Exchange Solutions

A homoglyph is when a glyph (or character) from one character set looks identical to that of another character set. For example, the lower-case letter “а” from the Cyrillic alphabet appears to be identical to the lower-case letter “a” from the Latin alphabet.

While seemingly identical to the human eye, they are very different for a computer. Pasting a string that contains each of these characters into a web browser will take you to very different places.

Homoglyphs are frequently used in URL impersonation attacks because their substitution is indistinguishable to the human eye.

Homoglyphs are also more effective than other forms of impersonation, such as replacing lowercase “m” with “rn,” which can look almost identical in some fonts—for example, arnazon.com versus amazon.com. Or impersonation that preys on common misspellings—for instance, micosoft.com

So just how identical can a homoglyph attack be? In the next section, we will explore an example.

Note: To keep everyone safe, we have used screenshots for all impersonated domains.

Creating a homoglyph

To create an impersonated domain, we are going to use the Homoglyph Attack Generator at irongeek.com. From this page, we first need to type in the domain we want to impersonate. I am going to use supertekboy.com.

The generator then allows us to swap out each letter with a letter from another character set. The first two rows are the Latin character set in upper and lower case. However, several other character sets, including Cyrillic, are included.

Using the generator, we can switch one or more letters with those from a different character set. Let’s change the Latin letter “e” for the Cyrillic letter “e” (Unicode 435). This gives us the output below. Can you tell the difference?

If you were to click that link or cut and paste the URL into a browser, you would be redirected to the following URL.

Were a bad actor to register this redirected domain, they could use it as a launchpad for any number of attacks, such as delivering a malicious payload, social engineering, or password capture. (I believe some domain registrars are blocking these types of domains).

If you receive an error during an uninstall that is never a good thing. But what happens when you clear the error and Exchange is in a partially uninstalled state. Restarting the uninstall from Control Panel > Programs and Features may result in an error like this.

An incomplete installation was detected. Run setup to complete Exchange installation.

To uninstall you are going to need the Exchange installation ISO. Once you have the ISO mounted open an elevated command prompt and change to the ISO drive letter (e.g. “cd D:”). Then run the following command.

D:\> setup.exe /mode:uninstall

The mode parameter allows you to specify the installation method. In our case, we specify we want to perform an uninstall. You can read about the various parameters in the following article.

The Exchange uninstall will then pick up where it left off. In my case, the Exchange installation failed during the removal of the Transport Services. The Mailbox and Client Access roles had already been successfully removed, so that is where it picked back up.

Microsoft Exchange Server 2013 Cumulative Update 23 Unattended Setup
Mailbox role: Mailbox service
Mailbox role: Unified Messaging service
Mailbox role: Client Access service
Mailbox role: Transport service
Client Access role: Front End Transport service
Client Access role: Client Access Front End service
Languages

Performing Microsoft Exchange Server Prerequisite Check

   Configuring Prerequisites                            COMPLETED
   Prerequisite Analysis                                COMPLETED

Configuration Microsoft Exchange Serve

   Preparing Setup                                      COMPLETED
   Mailbox role: Transport Services                     COMPLETED
   Client Access role: Front End Transport service      COMPLETED
   Client Access role: Client Access Front End service  COMPLETED
   Languages                                            COMPLETED
   Stopping Services                                    COMPLETED
   Removing Exchange Files                              COMPLETED
   Restoring Services                                   COMPLETED
   Finalizing Setup                                     COMPLETED

The Exchange Server setup operation completed successfully.

With the uninstall of Exchange complete you can now continue with the remainder of your decommission process.

Have you seen this issue before? What did you do to fix it? Drop a comment below or join the conversation on Twitter @SuperTekBoy

When accessing the certificates from a remote Exchange Server via the Exchange Admin Center you may receive the following error.

Cannot connect to the remote procedure call service on the server named <server name>. Verify that a valid computer name was used and the Microsoft Exchange Service Host service is started.

What makes this error difficult to troubleshoot are the other areas of remote management (such as managing the virtual directories of another server) work as expected.

This error also occurs in the Exchange Management Shell when running the Get-ExchangeCertificate command.

 C:\> Get-ExchangeCertificate -Server EX16-02

Cannot connect to the remote procedure call service on the server named EX16-02. Verify that a valid computer name was used and the Microsoft Exchange Service Host service is started.